Abstract

This paper proposes new explicit formulas for the doubling and addition steps in Miller's algorithm to compute the Tate pairing on elliptic curves in Weierstrass and in Edwards form. For Edwards curves the formulas come from a new way of seeing the arithmetic. We state the first geometric interpretation of the group law on Edwards curves by presenting the functions which arise in addition and doubling. The Tate pairing on Edwards curves can be computed by using these functions in Miller's algorithm.

Computing the sum of two points or the double of a point and the coefficients of the corresponding 
functions is faster with our formulas than with all previously proposed formulas for pairings on Edwards 
curves. They are even competitive with all published formulas for pairing computation on Weierstrass curves. 
We also improve the formulas for Tate pairing computation on Weierstrass curves in Jacobian coordinates. 
Finally, we present several examples of pairing-friendly Edwards curves. 

Key words: Pairings, Miller functions, explicit formulas, Edwards curves. 



1. Introduction 

Since their introduction to cryptography by Bernstein and Lange [?], Edwards curves have received a lot of attention due to the fact that their group law can be computed very efficiently. The group law in affine form was introduced by Edwards in [?] along with a description of the curve and several proofs of correctness. Remarkably none of the proofs provided a geometric interpretation while addition on Weierstrass curves is usually explained via the chord-and-tangent method.

Cryptographic applications in discrete-logarithm-based systems such as Diffie-Hellman key exchange or digital signatures require efficient computation of scalar multiples and thus have benefited from the speedup in addition and doubling. The situation is significantly different in pairing-based cryptography where Miller's algorithm needs a function with divisor $(P) + (Q) - (P + Q) - (O)$ for two input points $P$ and $Q$, their sum $P + Q$, and neutral element $O$. For curves in Weierstrass form these functions are readily given by the line functions in the usual addition and doubling. Edwards curves have degree 4 and thus any line passes through 4 curve points instead of 3. This led many to conclude that Edwards curves provide no benefit to pairings and are doomed to be slower than the Weierstrass counterparts.

So far two papers have attempted to compute pairings efficiently on Edwards curves: Das and Sarkar [13] use the birational equivalence to Weierstrass curves to map the points on the Edwards curve to a Weierstrass curve on which the usual line functions are then evaluated. This approach comes at a huge performance penalty as these implicit pairing formulas need many field operations to evaluate them. Das and Sarkar then focus on supersingular curves with embedding degree $k = 2$ and develop explicit formulas for that case.

Ionica and Joux [23] use a different map to a curve of degree 3 and compute the 4-th power of the Tate pairing. The latter poses no problem for usage in protocols as long as all participating parties perform the same type of pairing computation. Their results are significantly faster than Das and Sarkar's but they are still much slower than pairings on Weierstrass curves.

In this paper we close several important gaps: 

• We provide a geometric interpretation of the addition law for twisted Edwards curves. 

• We study additions, doublings, and all the special cases that appear as part of the geometric addition 
law for twisted Edwards curves. 

• We use the geometric interpretation of the group law to show how to compute the Tate pairing on 
twisted Edwards curves. 

• We give examples of ordinary pairing-friendly Edwards curves at several security levels. The curves 
have embedding degrees between 6 and 22. 

Beyond that, we develop explicit formulas for computing the Tate pairing on Edwards curves that solidly beat the results by Das and Sarkar [13] and Ionica and Joux [23] and



• are as fast as the fastest previously published formulas for the doubling step on Weierstrass curves, namely curves with $a_4 = 0$ (e.g. Barreto-Naehrig curves) in Jacobian coordinates, and faster than other Weierstrass curves;

• need the same number of field operations as the best published formulas for mixed addition in Jacobian 
coordinates; and 

• have minimal performance penalty for non-affine base points. 

In particular, for even embedding degree $k$ the doubling step on an Edwards curve takes 1M + 1S + (k + 6)m + 5s, where m and s denote the costs of multiplication and squaring in the base field while M and S denote the costs of multiplication and squaring in the extension field of degree $k$. A mixed addition step takes 1M + (k + 12)m and an addition step takes 1M + (k + 14)m. Our method for pairing computation on Edwards curves can be used for all curves that can be represented in Edwards form over the base field.

We also improve the addition and doubling steps on Weierstrass curves given by an equation $y^2 = x^3 + a_4 x + a_6$. We present the first explicit formulas for full addition steps on Weierstrass curves. The new formulas need 1M + 1S + (k + 6)m + 5s for a doubling step on curves with coefficient $a_4 = -3$. On such curves a mixed addition step costs 1M + (k + 6)m + 6s and an addition step costs 1M + (k + 9)m + 6s. On curves with $a_4 = 0$, the formulas take 1M + 1S + (k + 3)m + 8s for a doubling step, 1M + (k + 6)m + 6s for a mixed addition, and 1M + (k + 9)m + 6s for an addition step.

Our new formulas for Weierstrass curves are the fastest when using affine base points (except in the case $a_4 = 0$, $a_6 = b^2$). For projective base points - a common case in pairing-based protocols - it is better to use Edwards curves.

2. Background on Pairings

Let $q$ be a prime power not divisible by 2 and let $E/\mathbb{F}_q$ be an elliptic curve over $\mathbb{F}_q$ with neutral element denoted by $O$. Let $n \mid \#E(\mathbb{F}_q)$ be a prime divisor of the group order and let $E$ have embedding degree $k > 1$ with respect to $n$, i.e. $k$ is the smallest integer such that $n \mid q^k - 1$.

Let $P \in E(\mathbb{F}_q)[n]$ and let $f_P \in \mathbb{F}_q(E)$ be such that $\mathrm{div}(f_P) = n(P) - n(O)$. Let $\mu_n \subset \mathbb{F}_{q^k}^*$ denote the group of $n$-th roots of unity. The reduced Tate pairing is given by

$$\tau_n : E(\mathbb{F}_q)[n] \times E(\mathbb{F}_{q^k})/nE(\mathbb{F}_{q^k}) \to \mu_n, \qquad (P, Q) \mapsto f_P(Q)^{(q^k - 1)/n}.$$

Miller [26] suggested to compute pairings in an iterative manner. Let $n = (n_{l-1}, \ldots, n_1, n_0)_2$ be the binary representation of $n$, where $n_{l-1} = 1$. Let $g_{R,S} \in \mathbb{F}_q(E)$ be the function arising in the addition of two points $R$ and $S$ on $E$, i.e. $g_{R,S}$ is a function with $\mathrm{div}(g_{R,S}) = (R) + (S) - (R + S) - (O)$, where $O$ denotes the neutral element in the group of points, $R + S$ denotes the sum of $R$ and $S$ on $E$, and additions of the form $(R) + (S)$ denote formal additions in the divisor group. Miller's algorithm starts with $R = P$, $f = 1$ and computes

1. for $i = l - 2$ down to $0$ do
   (a) $f \leftarrow f^2 \cdot g_{R,R}(Q)$, $R \leftarrow [2]R$   // doubling step
   (b) if $n_i = 1$ then $f \leftarrow f \cdot g_{R,P}(Q)$, $R \leftarrow R + P$   // addition step
2. $f \leftarrow f^{(q^k - 1)/n}$.

Note that pairings can be combined with windowing methods by replacing the computation in step (b) by

$$f \leftarrow f \cdot f_{c,P}(Q) \cdot g_{R,[c]P}(Q), \qquad R \leftarrow R + [c]P,$$

where the current window in the binary representation of $n$ corresponds to the value $c$. The Miller function $f_{c,P}$ is defined via $\mathrm{div}(f_{c,P}) = c(P) - ([c]P) - (c - 1)(O)$. But windowing methods are rarely used because of the extra costs of 1M for updating the variable $f$.



3. Formulas for Pairings on Weierstrass curves 

An elliptic curve over $\mathbb{F}_q$ in short Weierstrass form is given by an equation of the form $y^2 = x^3 + a_4 x + a_6$ with $a_4, a_6 \in \mathbb{F}_q$. In this section we present new formulas for the addition and doubling step in Miller's algorithm that are faster than previous ones. Furthermore, we also cover the case of a non-affine base point.

The fastest formulas for doublings on Weierstrass curves are given in Jacobian coordinates (cf. the EFD [6]). A point is represented as $(X_1 : Y_1 : Z_1)$ which for $Z_1 \neq 0$ corresponds to the affine point $(x_1, y_1)$ with $x_1 = X_1/Z_1^2$ and $y_1 = Y_1/Z_1^3$. To obtain the full speed of pairings on Weierstrass curves it is useful to represent a point by $(X_1 : Y_1 : Z_1 : T_1)$ with $T_1 = Z_1^2$. This allows one s − m tradeoff in the addition step compared with the usual representation $(X_1 : Y_1 : Z_1)$. If the intermediate storage is an issue or if s is not much smaller than m, $T_1$ should not be cached. We present the formulas including $T_1$ below; the modifications to omit $T_1$ are trivial.

For $S \in \{R, P\}$, the function $g_{R,S}$ for Weierstrass curves is given as the fraction of the usual line functions by

$$g_{R,S}(X : Y : Z) = \frac{(Y Z_0^3 - Y_0 Z^3) - \lambda (X Z_0^2 - X_0 Z^2) Z Z_0}{(X - c Z^2) Z},$$

where $\lambda$ is the slope of the line through $R$ and $S$ (with multiplicities), $(X_0 : Y_0 : Z_0)$ is a point on the line, and $c$ is the $x$-coordinate of $R + S$. When one computes the Tate pairing, the point $(X_0 : Y_0 : Z_0)$ and the constants $\lambda$ and $c$ are defined over the base field $\mathbb{F}_q$. The function is evaluated at a point $Q = (X_Q : Y_Q : Z_Q)$ defined over $\mathbb{F}_{q^k}$.
We assume that $k$ is even. This allows us to use several improvements and speedups that are presented in [2] and [?]. As usual, let the field extension $\mathbb{F}_{q^k}$ be constructed via a quadratic subfield as $\mathbb{F}_{q^k} = \mathbb{F}_{q^{k/2}}(\alpha)$, with $\alpha^2 = \delta$ for a non-square $\delta \in \mathbb{F}_{q^{k/2}}$, and let $Q$ be chosen to be of the form $Q = (x_Q : y_Q \alpha : 1)$ with $x_Q, y_Q \in \mathbb{F}_{q^{k/2}}$. The latter is enforced by choosing a point $Q'$ on a quadratic twist of $E$ over $\mathbb{F}_{q^{k/2}}$ and defining $Q$ as the image of $Q'$ under the twist isomorphism. The denominator of $g_{R,S}(Q)$ is given by $x_Q - c$ which is defined over the subfield $\mathbb{F}_{q^{k/2}}$. Thus only the numerator needs to be considered as all multiplicative contributions from proper subfields of $\mathbb{F}_{q^k}$ are mapped to 1 by the final exponentiation and can be discarded. Furthermore, for addition and doubling in Jacobian coordinates we can write $\lambda = L_1/Z_3$, where $Z_3$ is the $Z$-coordinate of $R + S$ and $L_1$ depends on $R$ and $S$. Since $Z_3$ is defined over $\mathbb{F}_q$, we can instead compute

$$Z_3 (y_Q Z_0^3 \alpha - Y_0) - L_1 (x_Q Z_0^2 - X_0) Z_0,$$

giving $g_{R,S}(Q)$ up to factors from subfields of $\mathbb{F}_{q^k}$.

3.1. Addition steps 

In Miller's algorithm, all additions involve the base point as one input point so, when computing the line function, $(X_0 : Y_0 : Z_0)$ can be chosen as the base point $P$ and all values depending solely on $P$ and $Q$ can be precomputed at the beginning of the computation. For additions, $P$ is always stated as the second summand, i.e. $P = (X_2 : Y_2 : Z_2)$.

To enable an m − s tradeoff we compute $2 g_{R,P}(Q)$; this does not change the result of the computation since $2 \in \mathbb{F}_q$. Multiplications with $x_Q$ and $y_Q$ cost $(k/2)$m each; for $k > 2$ it is thus useful to rewrite the line function as

$$l = Z_3 \cdot 2 y_Q Z_2^3 \alpha - 2 Z_3 \cdot Y_2 - L_1 \cdot (2 (x_Q Z_2^2 - X_2) Z_2),$$

needing $(k + 1)$m for precomputed $y'_Q = 2 y_Q Z_2^3 \alpha$ and $x'_Q = 2 (x_Q Z_2^2 - X_2) Z_2$. Additionally 1M is needed to update the variable $f$ in Miller's algorithm.

Full addition. We use Bernstein and Lange's formulas ("add-2007-bl") from the EFD [6]. We can cache all values depending solely on $P$. In particular we precompute (or cache after the first addition or doubling) $R_2 = Y_2^2$ and $S_2 = T_2 \cdot Z_2$. The numerator of $\lambda$ is $L_1 = D - C$.

$A = X_1 \cdot T_2$; $B = X_2 \cdot T_1$; $C = 2 Y_1 \cdot S_2$; $D = ((Y_2 + Z_1)^2 - R_2 - T_1) \cdot T_1$;
$H = B - A$; $I = (2H)^2$; $J = H \cdot I$; $L_1 = D - C$; $V = A \cdot I$;
$X_3 = L_1^2 - J - 2V$; $Y_3 = L_1 \cdot (V - X_3) - C \cdot J$; $Z_3 = ((Z_1 + Z_2)^2 - T_1 - T_2) \cdot H$;
$T_3 = Z_3^2$; $l = Z_3 \cdot y'_Q - (Y_2 + Z_3)^2 + R_2 + T_3 - L_1 \cdot x'_Q$.

The formulas need 1M + (k + 9)m + 6s to compute the addition step. To our knowledge this is the first set of formulas for full (non-mixed) addition. If m is not significantly more expensive than s, some computations should be performed differently. In particular, $R_2$ needs not be stored, $D$ is computed as $D = 2 Y_2 \cdot Z_1 \cdot T_1$, $l$ contains the term $-2 Y_2 \cdot Z_3$ instead of $-(Y_2 + Z_3)^2 + R_2 + T_3$, and the computation of $Z_3$ can save some field additions.

If the values $T_1$, $R_2$, $S_2$, $T_2$, $x'_Q$, and $y'_Q$ cannot be stored, different optimizations are needed; in particular the line function is computed as

$$l = ((Z_3 \cdot Z_2) \cdot Z_2^2) \cdot y_Q \alpha - Y_2 \cdot Z_3 - (L_1 \cdot Z_2) \cdot Z_2^2 \cdot x_Q + X_2 \cdot (L_1 \cdot Z_2)$$

and the computation costs end up as 1M + (k + 17)m + 6s.

Mixed addition. Mixed addition means that the second input point is in affine representation. Mixed additions occur in scalar multiplication if the base point $P$ is given as $(x_2 : y_2 : 1)$.

We now state the mixed addition formulas based on Bernstein and Lange's formulas ("add-2007-bl") from the EFD [6]. Mixed additions are the usual case studied for pairings and the evaluation of the line function in $(k + 1)$m is standard. However, most implementations miss the s − m tradeoff in the main mixed addition formulas and do not compute the $T$-coordinate.

$B = X_2 \cdot T_1$; $D = ((y_2 + Z_1)^2 - R_2 - T_1) \cdot T_1$; $H = B - X_1$; $I = H^2$; $E = 4I$; $J = H \cdot E$;
$L_1 = D - 2 Y_1$; $V = X_1 \cdot E$; $X_3 = L_1^2 - J - 2V$; $Y_3 = L_1 \cdot (V - X_3) - 2 Y_1 \cdot J$;
$Z_3 = (Z_1 + H)^2 - T_1 - I$; $T_3 = Z_3^2$; $l = 2 Z_3 \cdot y_Q \alpha - (y_2 + Z_3)^2 + R_2 + T_3 - 2 L_1 \cdot (x_Q - x_2)$.

The formulas need 1M + (k + 6)m + 6s to compute the mixed addition step.

3.2. Doubling steps 

The main differences between the addition and the doubling formulas are that the doubling formulas depend on the curve coefficients and that the point $(X_0 : Y_0 : Z_0)$ appearing in the definition of $g_{R,S}$ is $(X_1 : Y_1 : Z_1)$, which is changing at every step. So in particular $Z_0 \neq 1$ and no precomputations (like $x'_Q$ or $y'_Q$ in the addition step) can be done.

For arbitrary $a_4$ the equation of the slope is $\lambda = (3 X_1^2 + a_4 Z_1^4)/(2 Y_1 Z_1) = (3 X_1^2 + a_4 T_1^2)/Z_3$. Thus $Z_3$ is divisible by $Z_1$ and we can replace $l$ by $l' = l/Z_1$ which will give the same result for the pairing computation. The value of

$$l' = (Z_3 \cdot Z_1^2) \cdot y_Q \alpha - 2 Y_1^2 - L_1 \cdot Z_1^2 \cdot x_Q + X_1 \cdot L_1$$

can be computed in at most (k + 3)m + 1s for arbitrary $a_4$ and with slightly less operations otherwise.

The formulas by Ionica and Joux [23] take into account the doubling formulas from the EFD for general Weierstrass curves in Jacobian coordinates. We thus present new formulas for the more special curves with $a_4 = -3$ and $a_4 = 0$.

Doubling on curves with $a_4 = -3$. The fastest doubling formulas are due to Bernstein (see [6], "dbl-2001-b") and need 3m + 5s for the doubling.

$A = Y_1^2$; $B = X_1 \cdot A$; $C = 3 (X_1 - T_1) \cdot (X_1 + T_1)$;
$X_3 = C^2 - 8B$; $Z_3 = (Y_1 + Z_1)^2 - A - T_1$; $Y_3 = C \cdot (4B - X_3) - 8A^2$;
$l = (Z_3 \cdot T_1) \cdot y_Q \alpha - 2A - C \cdot T_1 \cdot x_Q + X_1 \cdot C$; $T_3 = Z_3^2$.

The complete doubling step thus takes 1M + 1S + (k + 6)m + 5s. Note that $L_1 = C$.

Doubling on curves with $a_4 = 0$. The following formulas compute a doubling in 1m + 7s. Note that without $T_1$ and computing $Z_3 = 2 Y_1 \cdot Z_1$ a doubling can be computed in 2m + 5s which is always faster (see [6]) but the line functions make use of $Z_1^2$. Note further that here $L_1 = E = 3 X_1^2$ is particularly simple.

$A = X_1^2$; $B = Y_1^2$; $C = B^2$; $D = 2((X_1 + B)^2 - A - C)$; $E = 3A$; $G = E^2$;
$X_3 = G - 2D$; $Y_3 = E \cdot (D - X_3) - 8C$; $Z_3 = (Y_1 + Z_1)^2 - B - T_1$;
$l = 2 (Z_3 \cdot T_1) \cdot y_Q \alpha - 4B - 2E \cdot T_1 \cdot x_Q + (X_1 + E)^2 - A - G$; $T_3 = Z_3^2$.

The complete doubling step thus takes 1M + 1S + (k + 3)m + 8s.



4. Geometric interpretation of the group law on twisted Edwards curves 

In this section $K$ denotes a field of characteristic different from 2. A twisted Edwards curve over $K$ is a curve given by an affine equation of the form $E_{a,d} : a x^2 + y^2 = 1 + d x^2 y^2$ for $a, d \in K^*$ with $a \neq d$. Twisted Edwards curves were introduced by Bernstein et al. in [5] as a generalization of Edwards curves [?] which are included as $E_{1,d}$. An addition law on points of the curve $E_{a,d}$ is given by

$$(x_1, y_1) + (x_2, y_2) = \left( \frac{x_1 y_2 + y_1 x_2}{1 + d x_1 x_2 y_1 y_2},\ \frac{y_1 y_2 - a x_1 x_2}{1 - d x_1 x_2 y_1 y_2} \right).$$

The neutral element is $O = (0, 1)$, and the negative of $(x_1, y_1)$ is $(-x_1, y_1)$. The point $O' = (0, -1)$ has order 2. The points at infinity $\Omega_1 = (1 : 0 : 0)$ and $\Omega_2 = (0 : 1 : 0)$ are singular and blow up to two points each.

Edwards curves received a lot of attention because the above addition can be computed very efficiently, 
resulting in highly efficient algorithms to carry out scalar multiplication, a basic tool for many cryptographic 
protocols. 
The name twisted Edwards curves comes from the fact that the set of twisted Edwards curves is invariant under quadratic twists while a quadratic twist of an Edwards curve is not necessarily an Edwards curve. In particular, let $\delta \in K \setminus K^2$ and let $\alpha^2 = \delta$ for some $\alpha$ in a quadratic extension $K_2$ of $K$. The map $\epsilon : (x, y) \mapsto (\alpha x, y)$ defines a $K_2$-isomorphism between the twisted Edwards curves $E_{a\delta, d\delta}$ and $E_{a,d}$. Hence, the map $\epsilon$ is the prototype of a quadratic twist. Note that twists change the $x$-coordinate unlike on Weierstrass curves where they affect the $y$-coordinate.

We now study the intersection of $E_{a,d}$ with certain plane curves and explain the Edwards addition law in terms of the divisor class arithmetic. We remind the reader that the divisor class group is defined as the group of degree-0 divisors modulo the group of principal divisors in the function field of the curve, i.e. two divisors are equivalent if they differ by a principal divisor. For background reading on curves and Jacobians, we refer to [17] and [33].

Let $\mathbb{P}^2(K)$ be the two-dimensional projective space over $K$, and let $P = (X_0 : Y_0 : Z_0) \in \mathbb{P}^2(K)$ with $Z_0 \neq 0$. Let $L_{1,P}$ be the line through $P$ and $\Omega_1$, i.e. $L_{1,P}$ is defined by $Z_0 Y - Y_0 Z = 0$; and let $L_{2,P}$ be the line through $P$ and $\Omega_2$, i.e. $L_{2,P}$ is defined by $Z_0 X - X_0 Z = 0$.

Let $\phi(X, Y, Z) = c_{X2} X^2 + c_{Y2} Y^2 + c_{Z2} Z^2 + c_{XY} XY + c_{XZ} XZ + c_{YZ} YZ \in K[X, Y, Z]$ be a homogeneous polynomial of degree 2 and $C : \phi(X, Y, Z) = 0$ the associated plane (possibly degenerate) conic. Since the points $\Omega_1$, $\Omega_2$, $O'$ are not on a line, a conic $C$ passing through these points cannot be a double line and $\phi$ represents $C$ uniquely up to multiplication by a scalar. Evaluating $\phi$ at $\Omega_1$, $\Omega_2$, and $O'$, we see that a conic $C$ through these points has the form

$$C : c_{Z2} (Z^2 + YZ) + c_{XY} XY + c_{XZ} XZ = 0, \qquad (1)$$

where $(c_{Z2} : c_{XY} : c_{XZ}) \in \mathbb{P}^2(K)$.



Theorem 1. Let $E_{a,d}$ be a twisted Edwards curve over $K$, and let $P_1 = (X_1 : Y_1 : Z_1)$ and $P_2 = (X_2 : Y_2 : Z_2)$ be two affine, not necessarily distinct, points on $E_{a,d}(K)$. Let $C$ be the conic passing through $\Omega_1$, $\Omega_2$, $O'$, $P_1$, and $P_2$, i.e. $C$ is given by an equation of the form (1). If some of the above points are equal, we consider $C$ and $E_{a,d}$ to intersect with at least that multiplicity at the corresponding point. Then the coefficients in (1) of the equation $\phi$ of the conic $C$ are uniquely (up to scalars) determined as follows:

(a) If $P_1 \neq P_2$, $P_1 \neq O'$ and $P_2 \neq O'$, then

$$c_{Z2} = X_1 X_2 (Y_1 Z_2 - Y_2 Z_1), \quad c_{XY} = Z_1 Z_2 (X_1 Z_2 - X_2 Z_1 + X_1 Y_2 - X_2 Y_1), \quad c_{XZ} = X_2 Y_2 Z_1^2 - X_1 Y_1 Z_2^2 + Y_1 Y_2 (X_2 Z_1 - X_1 Z_2).$$

(b) If $P_1 \neq P_2 = O'$, then $c_{Z2} = -X_1$, $c_{XY} = Z_1$, $c_{XZ} = Z_1$.

(c) If $P_1 = P_2$, then

$$c_{Z2} = X_1 Z_1 (Z_1 - Y_1), \quad c_{XY} = d X_1^2 Y_1 - Z_1^3, \quad c_{XZ} = Z_1 (Z_1 Y_1 - a X_1^2).$$



Proof. If the points are distinct, the coefficients are obtained by evaluating the previous equation at the points $P_1$ and $P_2$. We obtain two linear equations in $c_{Z2}$, $c_{XY}$, and $c_{XZ}$

$$c_{Z2} (Z_1^2 + Y_1 Z_1) + c_{XY} X_1 Y_1 + c_{XZ} X_1 Z_1 = 0,$$
$$c_{Z2} (Z_2^2 + Y_2 Z_2) + c_{XY} X_2 Y_2 + c_{XZ} X_2 Z_2 = 0.$$

The formulas in (a) follow from the (projective) solutions

$$c_{Z2} = \begin{vmatrix} X_1 Y_1 & X_1 Z_1 \\ X_2 Y_2 & X_2 Z_2 \end{vmatrix}, \quad c_{XY} = \begin{vmatrix} X_1 Z_1 & Z_1^2 + Y_1 Z_1 \\ X_2 Z_2 & Z_2^2 + Y_2 Z_2 \end{vmatrix}, \quad c_{XZ} = \begin{vmatrix} Z_1^2 + Y_1 Z_1 & X_1 Y_1 \\ Z_2^2 + Y_2 Z_2 & X_2 Y_2 \end{vmatrix}.$$

If $P_1 = P_2 \neq O'$, we start by letting $Z_1 = 1$, $Z = 1$ in the equations. The tangent vectors at the non-singular point $P_1 = (X_1 : Y_1 : 1)$ of $E_{a,d}$ and of $C$ are

$$\begin{pmatrix} d X_1^2 Y_1 - Y_1 \\ a X_1 - d X_1 Y_1^2 \end{pmatrix} \quad \text{and} \quad \begin{pmatrix} -c_{Z2} - c_{XY} X_1 \\ c_{XY} Y_1 + c_{XZ} \end{pmatrix}.$$

They are collinear if the determinant of their coordinates is zero which gives us a linear condition in the coefficients of $\phi$. We get a second condition by $\phi(X_1, Y_1, 1) = 0$. Solving the linear system, we get the projective solution

$$c_{Z2} = X_1^3 (-d Y_1^2 + a) = X_1 (1 - Y_1^2) = X_1 (Y_1 + 1)(1 - Y_1),$$
$$c_{XY} = 2 d X_1^2 Y_1^2 - Y_1 - Y_1^2 + d X_1^2 Y_1 - a X_1^2 = -1 - Y_1 + d X_1^2 Y_1^2 + d X_1^2 Y_1 = (Y_1 + 1)(d X_1^2 Y_1 - 1),$$
$$c_{XZ} = -d X_1^2 Y_1^3 - a X_1^2 + Y_1^2 + Y_1^3 = (Y_1 + 1)(Y_1 - a X_1^2)$$

using the curve equation $a X_1^2 + Y_1^2 = 1 + d X_1^2 Y_1^2$ to simplify. Finally, since $P_1 \neq O'$, we can divide by $1 + Y_1$ and homogenize to get the result which provides the formulas as stated. The same formulas hold if $P_1 = O'$ since intersection multiplicity greater than or equal to 3 at $O'$ is achieved by setting $\phi = X(Y + Z) = XY + XZ$.

Assume now that $P_1 \neq P_2 = O'$. Note that the conic $C$ is tangent to $E_{a,d}$ at $O'$ if and only if $(\partial \phi / \partial x)(0, -1, 1) = (c_{XY} y + c_{XZ} z)(0, -1, 1) = 0$, i.e. $c_{XY} = c_{XZ}$. Then $\phi = (Y + Z)(c_{Z2} Z + c_{XY} X)$. Since $P_1 \neq O'$, it is not on the line $Y + Z = 0$. Then we get $c_{Z2} Z_1 + c_{XY} X_1 = 0$ and the coefficients as in (b). □

Let $P_1$ and $P_2$ be two affine $K$-rational points on a twisted Edwards curve $E_{a,d}$, and let $P_3 = (X_3 : Y_3 : Z_3) = P_1 + P_2$ be their sum. Let

$$l_1 = Z_3 Y - Y_3 Z, \qquad l_2 = X$$

be the polynomials of the horizontal line $L_{1,P_3}$ through $P_3$ and the vertical line $L_{2,O}$ through $O$ respectively, and let

$$\phi = c_{Z2} (Z^2 + YZ) + c_{XY} XY + c_{XZ} XZ$$

be the unique polynomial (up to multiplication by a scalar) defined by Theorem 1. The following theorem shows that the group law on a twisted Edwards curve indeed has a geometric interpretation involving the above equations. It gives us an important ingredient to compute Miller functions.

Theorem 2. Let $a, d \in K^*$ with $a \neq d$ and let $E_{a,d}$ be a twisted Edwards curve over $K$. Let $P_1, P_2 \in E_{a,d}(K)$. Define $P_3 = P_1 + P_2$. Let $\phi$, $l_1$, $l_2$ be defined as above. Then we have

$$\mathrm{div}\left(\frac{\phi}{l_1 l_2}\right) = (P_1) + (P_2) - (P_3) - (O). \qquad (2)$$

Proof. Let us consider the intersection divisor $(C \cdot E_{a,d})$ of the conic $C : \phi = 0$ and the singular quartic $E_{a,d}$. Bezout's Theorem [?, p. 112] tells us that the intersection of $C$ and $E_{a,d}$ should have $2 \cdot 4 = 8$ points counting multiplicities over $\bar{K}$. We note that the two points at infinity $\Omega_1$ and $\Omega_2$ are singular points of multiplicity 2. Moreover, by definition of the conic $C$, $(P_1) + (P_2) + (O') + 2(\Omega_1) + 2(\Omega_2) \leq (C \cdot E_{a,d})$. Hence there is an eighth point $Q$ in the intersection. Let $L_{1,Q} : l_Q = 0$ be the horizontal line going through $Q$. Since the inverse for addition on twisted Edwards curves is given by $(x, y) \mapsto (-x, y)$, we see that $(L_{1,Q} \cdot E_{a,d}) = (Q) + (-Q) + 2(\Omega_1)$. On the other hand $(L_{2,O} \cdot E_{a,d}) = (O) + (O') + 2(\Omega_2)$. Hence by combining the above divisors we get $\mathrm{div}\left(\frac{\phi}{l_Q l_2}\right) = (P_1) + (P_2) - (-Q) - (O)$. By unicity of the group law with neutral element $O$ on the elliptic curve $E_{a,d}$ [33, Prop. 3.4], the last equality means that $P_3 = -Q$. Hence $(L_{1,P_3} \cdot E_{a,d}) = (P_3) + (-P_3) + 2(\Omega_1) = (-Q) + (Q) + 2(\Omega_1)$ and $l_1 = l_Q$. So $\mathrm{div}\left(\frac{\phi}{l_1 l_2}\right) = (P_1) + (P_2) - (P_3) - (O)$.

□
Remark 3. From the proof, we see that $P_1 + P_2$ is obtained as the mirror image with respect to the $y$-axis of the eighth intersection point of $E_{a,d}$ and the conic $C$ passing through $\Omega_1, \Omega_2, O'$, $P_1$ and $P_2$.

Example 4. As an example we consider the Edwards curve $E_{1,-30} : x^2 + y^2 = 1 - 30 x^2 y^2$ over the set of real numbers $\mathbb{R}$. We choose the point $P_1$ with $x$-coordinate $x_1 = -0.6$ and $P_2$ with $x$-coordinate $x_2 = 0.1$. Figure 1(a) shows addition of different points $P_1$ and $P_2$, and Figure 1(b) shows doubling of the point $P_1$.

[Figure 1: Geometric interpretation of the group law on $E_{1,-30}$; panel (a): $P_1 \neq P_2$, $P_1, P_2 \neq O'$, $P_3 = P_1 + P_2$.]
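Theorem 1, Theorem 2 and Remark 3 carried out in code, as an added example that is not part of the paper or its Sage verification: affine twisted Edwards arithmetic over a small prime field, with the conic of Theorem 1 obtained by solving the two linear equations of the proof (case (a)) or from the closed formulas (cases (b) and (c)), and a check that the eighth intersection point is the mirror image of $P_1 + P_2$. The curve $x^2 + y^2 = 1 - x^2 y^2$ over $\mathbb{F}_{11}$ is a constructed toy instance, not one from the paper.

```python
from itertools import product


class TwistedEdwards:
    """Affine twisted Edwards curve a*x^2 + y^2 = 1 + d*x^2*y^2 over F_p, p odd, a != d."""

    def __init__(self, a, d, p):
        assert p % 2 == 1 and (a - d) % p != 0, "need odd p and a != d"
        self.a, self.d, self.p = a % p, d % p, p
        self.O = (0, 1)            # neutral element
        self.Oprime = (0, p - 1)   # the point O' = (0, -1) of order 2

    def on_curve(self, P):
        x, y = P
        return (self.a * x * x + y * y - 1 - self.d * x * x * y * y) % self.p == 0

    def add(self, P1, P2):
        """The Edwards addition law of Section 4 (affine)."""
        p, a, d = self.p, self.a, self.d
        x1, y1 = P1
        x2, y2 = P2
        t = d * x1 * x2 * y1 * y2
        x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % p, -1, p)
        y3 = (y1 * y2 - a * x1 * x2) * pow((1 - t) % p, -1, p)
        return (x3 % p, y3 % p)

    def conic(self, P1, P2):
        """Coefficients (c_Z2, c_XY, c_XZ) of the conic (1) through Omega1, Omega2, O',
        P1, P2 as in Theorem 1.  Case (a) solves the two linear equations of the proof
        by a cross product; cases (b) and (c) use the closed formulas with Z1 = 1."""
        p, a, d = self.p, self.a, self.d
        if P1 == self.Oprime and P2 != self.Oprime:
            P1, P2 = P2, P1
        x1, y1 = P1
        if P1 == P2:                                   # case (c): tangent conic at P1
            return (x1 * (1 - y1) % p, (d * x1 * x1 * y1 - 1) % p, (y1 - a * x1 * x1) % p)
        if P2 == self.Oprime:                          # case (b)
            return ((-x1) % p, 1, 1)
        x2, y2 = P2                                    # case (a): rows of the linear system
        r1 = (1 + y1, x1 * y1, x1)
        r2 = (1 + y2, x2 * y2, x2)
        return ((r1[1] * r2[2] - r1[2] * r2[1]) % p,
                (r1[2] * r2[0] - r1[0] * r2[2]) % p,
                (r1[0] * r2[1] - r1[1] * r2[0]) % p)

    def conic_eval(self, c, P):
        """phi(x, y, 1) = c_Z2 * (1 + y) + c_XY * x * y + c_XZ * x."""
        c_z2, c_xy, c_xz = c
        x, y = P
        return (c_z2 * (1 + y) + c_xy * x * y + c_xz * x) % self.p

    def points(self):
        """All affine F_p-rational points (brute force; fine for a toy prime)."""
        return [P for P in product(range(self.p), repeat=2) if self.on_curve(P)]


def check_theorem2(curve):
    """Theorem 2 / Remark 3 over all ordered pairs of affine points: the conic of
    Theorem 1 passes through P1 and P2, and its eighth intersection point with the
    curve is the mirror image (-x3, y3) of P3 = P1 + P2.  Returns True if every pair
    satisfies this and no conic degenerated to the zero polynomial."""
    pts = curve.points()
    for P1 in pts:
        for P2 in pts:
            c = curve.conic(P1, P2)
            if c == (0, 0, 0):
                return False
            x3, y3 = curve.add(P1, P2)
            mirror = ((-x3) % curve.p, y3)
            if any(curve.conic_eval(c, Q) != 0 for Q in (P1, P2, mirror)):
                return False
    return True


# Constructed toy curve: x^2 + y^2 = 1 - x^2 y^2 over F_11 (a = 1 is a square and
# d = -1 a non-square, so the addition law is complete).  It has 12 affine points.
TOY = TwistedEdwards(a=1, d=-1, p=11)

if __name__ == "__main__":
    P1, P2 = (4, 5), (5, 4)
    print("P1 + P2 =", TOY.add(P1, P2), " conic:", TOY.conic(P1, P2))
    print("2 P1    =", TOY.add(P1, P1), " conic:", TOY.conic(P1, P1))
    print("Theorem 2 holds on all pairs:", check_theorem2(TOY))
```

For $P_1 = (4, 5)$, $P_2 = (5, 4)$ the conic is $(c_{Z2} : c_{XY} : c_{XZ}) = (9 : 1 : 9)$, $P_3 = (1, 0)$, and $\phi$ vanishes at the mirror point $(-1, 0)$ but not at $P_3$ itself.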

5. Formulas for Pairings on Edwards Curves 

In this section we show how to use the geometric interpretation of the group law to compute pairings. We assume that $k$ is even and that the second input point $Q$ is chosen by using the tricks in [2] and [?]: Let $\mathbb{F}_{q^k}$ have basis $\{1, \alpha\}$ over $\mathbb{F}_{q^{k/2}}$ with $\alpha^2 = \delta \in \mathbb{F}_{q^{k/2}}$ and let $Q' = (X_0 : Y_0 : Z_0) \in E_{a\delta, d\delta}(\mathbb{F}_{q^{k/2}})$. Twisting $Q'$ with $\alpha$ ensures that the second argument of the pairing is on $E_{a,d}(\mathbb{F}_{q^k})$ (and no smaller field) and is of the form $Q = (X_0 \alpha : Y_0 : Z_0)$, where $X_0, Y_0, Z_0 \in \mathbb{F}_{q^{k/2}}$.

By Theorem 2 we have $g_{R,S} = \phi/(l_1 l_2)$. In each step of the Miller loop first $g_{R,S}$ is computed, it is then evaluated at $Q = (X_0 \alpha : Y_0 : Z_0)$ and finally $f$ is updated as $f \leftarrow f \cdot g_{R,P}(Q)$ (addition) or as $f \leftarrow f^2 \cdot g_{R,R}(Q)$ (doubling). Given the shape of $\phi$ and the point $Q = (X_0 \alpha : Y_0 : Z_0)$, we see that we need to compute

$$\frac{\phi}{l_1 l_2}(X_0 \alpha : Y_0 : Z_0) = \frac{c_{Z2} (Z_0^2 + Y_0 Z_0) + c_{XY} X_0 \alpha Y_0 + c_{XZ} X_0 Z_0 \alpha}{(Z_3 Y_0 - Y_3 Z_0) X_0 \alpha} \in \left( c_{Z2}\, \eta\, \alpha + c_{XY}\, y_0 + c_{XZ} \right) \cdot \mathbb{F}_{q^{k/2}}^*,$$

where $(X_3 : Y_3 : Z_3)$ are coordinates of the point $R + P$ or $R + R$, $y_0 = Y_0/Z_0$, and $\eta = (Z_0 + Y_0)/(X_0 \delta)$. Note that $\eta, y_0 \in \mathbb{F}_{q^{k/2}}$ and that they are fixed for the whole computation, so they can be precomputed. The coefficients $c_{Z2}$, $c_{XY}$, and $c_{XZ}$ are defined over $\mathbb{F}_q$, thus the evaluation at $Q$ given the coefficients of the conic can be computed in $k$m (multiplications by $\eta$ and $y_0$ need $\frac{k}{2}$m each).

5.1. Addition steps

Hisil et al. presented new addition formulas for twisted Edwards curves in extended Edwards form at Asiacrypt 2008 [?]. Let $P_3 = P_1 + P_2$ for two different points $P_1 = (X_1 : Y_1 : Z_1 : T_1)$ and $P_2 = (X_2 : Y_2 : Z_2 : T_2)$ with $Z_1, Z_2 \neq 0$ and $T_i = X_i Y_i / Z_i$. Theorem 1 (a) states the coefficients of the conic section for addition. We use $T_1, T_2$ to shorten the formulas.

$$c_{Z2} = X_1 X_2 (Y_1 Z_2 - Y_2 Z_1) = Z_1 Z_2 (T_1 X_2 - X_1 T_2),$$
$$c_{XY} = Z_1 Z_2 (X_1 Z_2 - Z_1 X_2 + X_1 Y_2 - Y_1 X_2),$$
$$c_{XZ} = X_2 Y_2 Z_1^2 - X_1 Y_1 Z_2^2 + Y_1 Y_2 (X_2 Z_1 - X_1 Z_2) = Z_1 Z_2 (Z_1 T_2 - T_1 Z_2 + Y_1 T_2 - T_1 Y_2).$$

Note that all coefficients are divisible by $Z_1 Z_2 \neq 0$ and so we scale the coefficients. The explicit formulas for computing $P_3 = P_1 + P_2$ and $(c_{Z2}, c_{XY}, c_{XZ})$ are given as follows:

$A = X_1 \cdot X_2$; $B = Y_1 \cdot Y_2$; $C = Z_1 \cdot T_2$; $D = T_1 \cdot Z_2$; $E = D + C$;
$F = (X_1 - Y_1) \cdot (X_2 + Y_2) + B - A$; $G = B + aA$; $H = D - C$; $I = T_1 \cdot T_2$;
$c_{Z2} = (T_1 - X_1) \cdot (T_2 + X_2) - I + A$; $c_{XY} = X_1 \cdot Z_2 - X_2 \cdot Z_1 + F$;
$c_{XZ} = (Y_1 - T_1) \cdot (Y_2 + T_2) - B + I - H$;
$X_3 = E \cdot F$; $Y_3 = G \cdot H$; $T_3 = E \cdot H$; $Z_3 = F \cdot G$.

With these formulas $P_3$ and $(c_{Z2}, c_{XY}, c_{XZ})$ can be computed in 1M + (k + 14)m + 1m$_a$, where m$_a$ denotes the costs of a multiplication by $a$. If the base point $P_2$ has $Z_2 = 1$, the above costs reduce to 1M + (k + 12)m + 1m$_a$. We used Sage [?] to verify the explicit formulas.

5.2. Doubling steps 

Theorem 1 (c) states the coefficients of the conic section in the case of a doubling step. To speed up the computation we multiply each coefficient by $-2 Y_1 / Z_1$; remember that $\phi$ is unique up to scaling. Note also that $Y_1, Z_1 \neq 0$ because we assume that all points have odd order. The multiplication by $Y_1 / Z_1$ reduces the overall degree of the equations since we can use the curve equation to simplify the formula for $c_{XY}$; the factor 2 is useful in obtaining an s − m tradeoff in the explicit formulas below. We obtain:

$$c_{Z2} = X_1 (2 Y_1^2 - 2 Y_1 Z_1),$$
$$c_{XY} = 2 (Y_1 Z_1^3 - d X_1^2 Y_1^2) / Z_1 = 2 (Y_1 Z_1^3 - Z_1^2 (a X_1^2 + Y_1^2) + Z_1^4) / Z_1 = Z_1 (2 (Z_1^2 - a X_1^2 - Y_1^2) + 2 Y_1 Z_1),$$
$$c_{XZ} = Y_1 (2 a X_1^2 - 2 Y_1 Z_1).$$

Of course we also need to compute $P_3 = 2 P_1$. We use the explicit formulas from [?] for the doubling and reuse subexpressions in computing the coefficients of the conic. The formulas were checked for correctness with Sage [?]. Since the input is given in extended form as $P_1 = (X_1 : Y_1 : Z_1 : T_1)$ we can use $T_1$ in the computation of the conic as

$$c_{Z2} = X_1 (2 Y_1^2 - 2 Y_1 Z_1) = 2 Z_1 Y_1 (T_1 - X_1),$$
$$c_{XY} = Z_1 (2 (Z_1^2 - a X_1^2 - Y_1^2) + 2 Y_1 Z_1),$$
$$c_{XZ} = Y_1 (2 a X_1^2 - 2 Y_1 Z_1) = 2 Z_1 (a X_1 T_1 - Y_1^2),$$

and then scale the coefficients by $1/Z_1$. The computation of $P_3 = (X_3 : Y_3 : Z_3 : T_3)$ and $(c_{Z2}, c_{XY}, c_{XZ})$ is then done in 1M + 1S + (k + 6)m + 5s + 2m$_a$ as

$A = X_1^2$; $B = Y_1^2$; $C = Z_1^2$; $D = (X_1 + Y_1)^2$; $E = (Y_1 + Z_1)^2$;
$F = D - (A + B)$; $G = E - (B + C)$; $H = aA$; $I = H + B$; $J = C - I$;
$K = J + C$; $c_{Z2} = 2 Y_1 \cdot (T_1 - X_1)$; $c_{XY} = 2J + G$; $c_{XZ} = 2 (a X_1 \cdot T_1 - B)$;
$X_3 = F \cdot K$; $Y_3 = I \cdot (B - H)$; $Z_3 = I \cdot K$; $T_3 = F \cdot (B - H)$.

Note that like in [?] we can save 1m$_a$ per doubling by changing to the extended representation only before an addition.
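The explicit addition and doubling steps of Sections 5.1 and 5.2 re-checked in Python, as an added example and not the paper's own Sage verification: each step's extended-coordinate output is compared with the affine addition law of Section 4, and its scaled conic coefficients with Theorem 1, over the constructed toy curve $x^2 + y^2 = 1 - x^2 y^2$ over $\mathbb{F}_{11}$ (a curve chosen here, not taken from the paper).

```python
# constructed toy curve: a*x^2 + y^2 = 1 + d*x^2*y^2 over F_11 with a = 1, d = -1
p, a, d = 11, 1, 10


def inv(v):
    return pow(v % p, -1, p)


def to_ext(x, y):
    """Affine (x, y) -> extended coordinates (X : Y : Z : T) with Z = 1 and T = XY/Z."""
    return (x % p, y % p, 1, x * y % p)


def to_affine(X, Y, Z, T):
    return (X * inv(Z) % p, Y * inv(Z) % p)


def ext_add(P1, P2):
    """Addition step of Section 5.1: returns (X3 : Y3 : Z3 : T3) and the scaled conic
    coefficients (c_Z2, c_XY, c_XZ).  The point formulas are the dedicated ones of
    Hisil et al., so Z3 may vanish when P2 = +-P1; the caller must check Z3 != 0."""
    X1, Y1, Z1, T1 = P1
    X2, Y2, Z2, T2 = P2
    A = X1 * X2; B = Y1 * Y2; C = Z1 * T2; D = T1 * Z2; E = D + C
    F = (X1 - Y1) * (X2 + Y2) + B - A; G = B + a * A; H = D - C; I = T1 * T2
    cZ2 = (T1 - X1) * (T2 + X2) - I + A
    cXY = X1 * Z2 - X2 * Z1 + F
    cXZ = (Y1 - T1) * (Y2 + T2) - B + I - H
    X3, Y3, T3, Z3 = E * F, G * H, E * H, F * G
    return tuple(v % p for v in (X3, Y3, Z3, T3)), tuple(v % p for v in (cZ2, cXY, cXZ))


def ext_dbl(P1):
    """Doubling step of Section 5.2: returns (X3 : Y3 : Z3 : T3) and (c_Z2, c_XY, c_XZ).
    The coefficients were scaled by -2*Y1/Z1, so they vanish for Y1 = 0 (points of
    order 4), which the paper excludes by assuming points of odd order."""
    X1, Y1, Z1, T1 = P1
    A = X1 * X1; B = Y1 * Y1; C = Z1 * Z1; D = (X1 + Y1) ** 2; E = (Y1 + Z1) ** 2
    F = D - (A + B); G = E - (B + C); H = a * A; I = H + B; J = C - I; K = J + C
    cZ2 = 2 * Y1 * (T1 - X1); cXY = 2 * J + G; cXZ = 2 * (a * X1 * T1 - B)
    X3, Y3, Z3, T3 = F * K, I * (B - H), I * K, F * (B - H)
    return tuple(v % p for v in (X3, Y3, Z3, T3)), tuple(v % p for v in (cZ2, cXY, cXZ))


# --- reference values computed directly from the affine points ---------------------

def affine_add(P1, P2):
    """The complete Edwards addition law of Section 4."""
    x1, y1 = P1
    x2, y2 = P2
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + y1 * x2) * inv(1 + t) % p, (y1 * y2 - a * x1 * x2) * inv(1 - t) % p)


def affine_conic(P1, P2):
    """Theorem 1 (a) or (c) with Z1 = Z2 = 1; case (a) is the zero triple if a point is O'."""
    x1, y1 = P1
    x2, y2 = P2
    if P1 == P2:
        return (x1 * (1 - y1) % p, (d * x1 * x1 * y1 - 1) % p, (y1 - a * x1 * x1) % p)
    return (x1 * x2 * (y1 - y2) % p, (x1 * (1 + y2) - x2 * (1 + y1)) % p,
            (x2 * y2 * (1 + y1) - x1 * y1 * (1 + y2)) % p)


def proportional(u, v):
    """True when u and v define the same conic, i.e. are equal up to a scalar."""
    return all((u[i] * v[j] - u[j] * v[i]) % p == 0 for i, j in ((0, 1), (0, 2), (1, 2)))


def check_step(P1, P2):
    """None if the formulas do not apply to this pair; else True iff the explicit step
    gives the same point as the affine law, T3 = X3*Y3/Z3, and the conic of Theorem 1."""
    R, c = ext_dbl(to_ext(*P1)) if P1 == P2 else ext_add(to_ext(*P1), to_ext(*P2))
    if R[2] == 0 or c == (0, 0, 0):
        return None
    same_point = to_affine(*R) == affine_add(P1, P2)
    t_ok = R[3] == R[0] * R[1] * inv(R[2]) % p
    return same_point and t_ok and proportional(c, affine_conic(P1, P2))


def check_all():
    """check_step over every ordered pair of affine points of the toy curve."""
    pts = [(x, y) for x in range(p) for y in range(p)
           if (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0]
    results = [check_step(P1, P2) for P1 in pts for P2 in pts]
    return all(r is None or r for r in results) and any(results)


if __name__ == "__main__":
    print(ext_add(to_ext(4, 5), to_ext(5, 4)))   # ((3, 0, 3, 0), (9, 1, 9)) -> P3 = (1, 0)
    print(ext_dbl(to_ext(4, 5)))                 # ((2, 6, 7, 8), (6, 7, 0)) -> 2P1 = (5, 4)
    print("all steps agree:", check_all())
```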

6. Operation counts 

We give an overview of the best formulas in the literature for computing the Tate pairing on Edwards 
curves and on the different forms of Weierstrass curves in Jacobian coordinates. We compare the results 
with our new pairing formulas for Weierstrass and Edwards curves. 

Throughout this section we assume that $k$ is even, that the second input point $Q$ is given in affine coordinates, and that quadratic twists are used so that multiplications with $\eta$ and $y_0$ take $(k/2)$m each.

6.1. Overview

Chatterjee, Sarkar, and Barua [8] study pairings on Weierstrass curves in Jacobian coordinates. Their paper does not distinguish between multiplications in $\mathbb{F}_q$ and in $\mathbb{F}_{q^k}$ but their results are easily translated. For mixed addition steps their formulas need 1M + (k + 9)m + 3s, and for doubling steps they need 1M + (k + 7)m + 1S + 4s if $a_4 = -3$. For doubling steps on general Weierstrass curves (no condition on $a_4$) the formulas by Ionica and Joux [23] are fastest with 1M + (k + 1)m + 1S + 11s.

Actually, any mixed addition step (mADD) or addition step (ADD) in Miller's algorithm needs 1M + km for the evaluation at $Q$ and the update of $f$; each doubling step (DBL) needs 1M + km + 1S for the evaluation at $Q$ and the update of $f$. In the following we do not comment on these costs since they do not depend on the chosen representation and are a fixed offset. We also do not report these expenses in the overview table.

Hankerson, Menezes, and Scott [21] study pairing computation on Barreto-Naehrig [?] curves. All BN curves have the form $y^2 = x^3 + a_6$ and are thus more special than curves with $a_4 = -3$ or Edwards curves. They need 6m + 5s for a doubling step and 9m + 3s for a mixed addition step. Very recently, Costello et al. [11] presented explicit formulas for pairings on curves of the form $y^2 = x^3 + b^2$, i.e. $a_4 = 0$ and $a_6$ is a square. Their representation is in projective rather than Jacobian coordinates.

To the best of our knowledge our paper is the first to publish full (non-mixed) addition formulas for Weierstrass curves. Note that [11] started after our results became public.

Das and Sarkar [13] were the first to publish pairing formulas for Edwards curves. We do not include them in our overview since their study is specific to supersingular curves with $k = 2$. Ionica and Joux [23] proposed the thus far fastest pairing formulas for Edwards curves. Note that they actually compute the 4th power $\tau_n(P, Q)^4$ of the Tate pairing. This has almost no negative effect for usage in protocols. So we include their result as pairings on Edwards curves.

We denote Edwards coordinates by $\mathcal{E}$, projective coordinates by $\mathcal{P}$, and Jacobian coordinates by $\mathcal{J}$. Morain [27] showed that 2-isogenies reach $a = 1$ from any twisted Edwards curve; we therefore omit m$_a$ in the table.





Coordinates, curve, source        DBL                  mADD                 ADD
J, [23], [8]                      1m + 11s + 1m_a4     9m + 3s              –
J, [23], this paper               1m + 11s + 1m_a4     6m + 6s              9m + 6s
J, a4 = −3, [8]                   7m + 4s              9m + 3s              –
J, a4 = −3, this paper            6m + 5s              6m + 6s              9m + 6s
J, a4 = 0, [9], [8]               6m + 5s              9m + 3s              –
J, a4 = 0, this paper             3m + 8s              6m + 6s              9m + 6s
P, a4 = 0, a6 = b^2               3m + 5s              10m + 2s + 1m_b      13m + 2s + 1m_b
E, [23]                           8m + 4s + 1m_d       14m + 4s + 1m_d      –
E, this paper                     6m + 5s              12m                  14m



6.2. Comparison 

The overview shows that our new formulas for Edwards curves solidly beat all previous formulas published 
for Tate pairing computation on Edwards curves. 

Our new formulas for pairings on arbitrary Edwards curves are faster than all formulas previously known for Weierstrass curves except for the very special curves with $a_4 = 0$. Specifically mixed additions on Edwards curves are slower by some s − m tradeoffs but doublings are much more frequent and gain at least an s − m tradeoff each.

The curves considered in [11] are extremely special: For $p \equiv 2 \bmod 3$ these curves are supersingular and thus have $k = 2$. For $p \equiv 1 \bmod 3$ a total of 3 isomorphism classes is covered by this curve shape. They have faster doublings but slower additions and mixed additions than Edwards curves.

Our own improvements to the doubling and addition formulas for Weierstrass curves beat our new formulas for Edwards curves with affine base point by several s − m tradeoffs. However, in many protocols the pairing input $P$ is the output of some scalar multiplication and is thus naturally provided in non-affine form. Whenever converting $P$ to affine form is more expensive than proceeding in non-affine form, all additions are full additions. A full addition on an Edwards curve needs one field operation less than on Weierstrass curves. Depending on the frequency of addition and the s/m ratio the special curves with $a_4 = 0$ might or might not be faster. For all other curves, Edwards form is the best representation. Furthermore, scalar multiplications on Edwards curves are significantly faster than on Weierstrass curves.

Our new formulas for mixed addition steps (mADD) and doubling steps (DBL) on Weierstrass curves 
are faster than all previous ones by several s − m tradeoffs. Our formulas for full addition (ADD) are the 
only ones in the literature for most Weierstrass curves; for those with a4 = 0 and a6 = b^2 they are faster 
than those in [11] for any s/m ratio. 
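The comparison above depends on the Miller loop length, the number of addition steps and the s/m ratio. The following added example (not code from the paper) turns the per-step counts of the table in Section 6.1 into a Miller loop cost model so that the tradeoffs can be evaluated for a chosen loop length, Hamming weight and s/m ratio. It assumes that multiplications by curve constants (ma4, mb, md) cost as much as a generic multiplication, and it transcribes only a subset of the table's rows.

```python
import re

# Per-step operation counts transcribed from the table in Section 6.1.
# name: (DBL, mADD, ADD); None means no full-addition formula was published.
# Multiplications by curve constants (ma4, mb, md) are counted as full
# multiplications here, a simplifying assumption of this example.
COUNTS = {
    "J, a4 = -3, this paper":    ("6m + 5s", "6m + 6s", "9m + 6s"),
    "J, a4 = 0, this paper":     ("3m + 8s", "6m + 6s", "9m + 6s"),
    "P, a4 = 0, a6 = b^2, [11]": ("3m + 5s", "10m + 2s + 1mb", "13m + 2s + 1mb"),
    "E, [23]":                   ("8m + 4s + 1md", "14m + 4s + 1md", None),
    "E, this paper":             ("6m + 5s", "12m", "14m"),
}

# A term is a count followed by "s" (squaring) or "m", "ma4", "mb", ... (multiplication).
TERM = re.compile(r"(\d+)\s*(m[a-z0-9]*|s)")


def parse_cost(expr):
    """'10m + 2s + 1mb' -> (multiplications, squarings)."""
    mults = squares = 0
    for count, op in TERM.findall(expr):
        if op == "s":
            squares += int(count)
        else:
            mults += int(count)
    return mults, squares


def step_cost(expr, s_over_m):
    """Cost of one step measured in multiplications, with s = s_over_m * m."""
    m, s = parse_cost(expr)
    return m + s * s_over_m


def miller_loop_cost(dbl, add, loop_bits, hamming_weight, s_over_m):
    """Cost of a Miller loop over an exponent with loop_bits bits and the given
    Hamming weight: loop_bits - 1 doubling steps and hamming_weight - 1
    addition steps (the leading bit needs neither)."""
    return ((loop_bits - 1) * step_cost(dbl, s_over_m)
            + (hamming_weight - 1) * step_cost(add, s_over_m))


def compare(loop_bits=160, hamming_weight=80, s_over_m=0.8, affine_base=True):
    """Loop cost per curve shape: mADD when the base point P is affine, ADD otherwise."""
    out = {}
    for name, (dbl, madd, add) in COUNTS.items():
        step = madd if affine_base else add
        if step is None:
            continue
        out[name] = round(miller_loop_cost(dbl, step, loop_bits, hamming_weight, s_over_m), 1)
    return out


if __name__ == "__main__":
    for ratio in (0.8, 1.0):
        print(f"s/m = {ratio}, affine base point:     ", compare(s_over_m=ratio))
        print(f"s/m = {ratio}, non-affine base point: ", compare(s_over_m=ratio, affine_base=False))
```

With the defaults (160-bit loop, weight 80, s = 0.8m) the a4 = 0 curves of [11] win on mixed additions while the Edwards full addition (14m) beats the Weierstrass one (9m + 6s) only once s costs about as much as m, which is exactly the dependence on the s/m ratio the text describes.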

We note here that for curves in Weierstrass form the ate pairing is more efficient than the Tate pairing, 
in particular when the R-ate pairing or optimal pairings with a very short loop in Miller's algorithm are 
computed, and when twists of degree 4 and 6 are used to represent torsion points. Our comparison only 
refers to Tate pairing computation. 

Further research needs to focus on how to compute variants of the ate pairing on Edwards curves. To 
obtain the same or better efficiency as the fastest pairings on Weierstrass curves, it needs to be clarified 
whether optimal ate pairings can be computed and whether the above mentioned high-degree twists can be 
used as well for suitable pairing-friendly curves in Edwards form. Some initial results are presented in [12]. 

7. Construction of Pairing-Friendly Edwards Curves 

The previous chapter showed that pairing computation can benefit from Edwards curves. Most constructions 
of pairing-friendly elliptic curves in the literature aim at a prime group order and thus in particular 
do not lead to curves with cofactor 4 that can be transformed to Edwards curves. Galbraith, McKee, and 
Valença [31 showed how to use the MNT construction to produce curves with small cofactor. Some other 
constructions that allow finding curves with cofactor divisible by 4 are described by Freeman, Scott, and 
Teske [16]. 

To ensure security of the pairing-based system two criteria must be satisfied: the group E(F_p) must 
have a large enough prime-order subgroup so that generic attacks are excluded, and p^k must be large enough 
so that index calculus attacks in F_{p^k}^* are excluded. For efficient implementation, we try to minimize p and k 
to minimize the cost of arithmetic in F_p and F_{p^k}, and minimize n to minimize the length of the Miller loop. 
This has the effect of balancing the difficulty of the DLPs on the curve and in the multiplicative group of 
the finite field F_{p^k}. 

Following the ECRYPT recommendations p^], the "optimal" bitsizes of the primes p and n for curves 
E/F_p with n | #E(F_p) and n prime are shown in Table 1 for the most common security levels. For these 
parameters, the DLP in the subgroup of E(F_p) of order n is considered equally hard as the DLP in F_{p^k}^*. In 
order to transform the curve to an Edwards curve, we need to have #E(F_p) = 4hn for some cofactor h. It 
follows that the rho-value ρ = log(p)/log(n) of E is always larger than 1. The recommendations imply a 
desired value for ρ · k as displayed in Table 1, which should be achieved with an even embedding degree to 
favor efficient implementation. This means that ρ cannot be kept minimal, but we managed to minimize n 
to keep the Miller loop short. 

In the following section we present six examples of pairing-friendly Edwards curves with embedding 
degrees k ∈ {6, 8, 10, 22}, which cover the security levels given in Table 1. 

security        80       96       112      128      160      256
log2(n)         160      192      224      256      320      512
log2(p^k)       1248     1776     2432     3248     4800     15424
ρ · k           7.80     9.25     10.86    12.67    15       30.13

Table 1: "Optimal" bitsizes for the primes n and p and the corresponding values for ρ · k for most common security levels. 
8. Examples of Pairing-Friendly Edwards Curves 



This section presents pairing-friendly Edwards curves. Note that they were constructed for applications 
using the Tate pairing so that the curve over the ground field has a point of order 4. They are all defined 
over a prime field F_p, and the ρ values are stated with the curves. Notation is as before, where the number 
of F_p-rational points on the curve is 4hn. 

The curve examples in this section cover the security levels in Table 1. We used the method and formula 
in [1J] to determine the effective security in bits on the curve and in the finite field. 



8.0.1. Security level 80 bits (generic: 82 bits, index calculus: 19 bits): 
k = 6, ρ = 1.22 following ^ i 

D = 7230, ⌈log(n)⌉ = 165, ⌈log(h)⌉ = 34, ⌈log(p)⌉ = 201, k⌈log(p)⌉ = 1206 

p = 2051613663768129606093583432875887398415301962227490187508801, 

n = 44812545413308579913957438201331385434743442366277, 

h = 7 · 733 · 2230663, 

d = 1100661309421493056836745159318889208210931380459417578976626. 



8.0.2. Security level 96 bits (generic: 95 bits, index calculus: 93 bits): 
k = 6, ρ = 1.48 following [H]: 

D = 4630, ⌈log(n)⌉ = 191, ⌈log(h)⌉ = 90, ⌈log(p)⌉ = 283, k⌈log(p)⌉ = 1698 

p = 12076422473257620999622772924220230535655104285600826357856070179619031510615886361601, 

n = 2498886235887409414948289020220476887707263210939845485839, 

h = 11161 · 19068349 · 5676957216676051, 

d = 2763915426899189358845059350727381504946815286189972438681082636399984067165911590884. 



8.0.3. Security level 112 bits (generic: 112 bits, index calculus: 117 bits): 
k = 8, ρ ≈ 1.50 following Example 6.10 in [16]: 

D = 1, ⌈log(n)⌉ = 224, ⌈log(h)⌉ = 111, ⌈log(p)⌉ = 337, k⌈log(p)⌉ = 2696 

p = 233773665369910566926038390015691888142454746929295686689625913289090943703572348756028778874481604289, 

n = 22985796260053765810955211899935144604417092746113717429138553265289, 

h = 315669989 · 558193107149 · 14429732414341, 

d = 213738414416360128835519572463432285534895845482325238799976362002807961599999848556640836158104712032. 
8.0.4. Security level 128 bits (generic: 133 bits, index calculus: 127 bits): 
k = 8, ρ = 1.50 following Example 6.10 in [16]: 

D = 1, ⌈log(n)⌉ = 267, ⌈log(h)⌉ = 133, ⌈log(p)⌉ = 401, k⌈log(p)⌉ = 3208 

p = 51065000030527450626711027753965666498558576769353848475638203214584974495354436071209268470508469629312810691036880709, 

n = 8337030425086788445100704671763896482549397437850042633596560118040562641504433, 

h = 5 · 17 · 1229 · 3181 · 4608053164778689785613892277341, 

d = 25532500015263725313355513876982833249279288384676924237819101607292487247677218035604634235254234814656405345518440355. 



8.0.5. Security level 160 bits (generic: 164 bits, index calculus: 154 bits): 
k = 10, ρ = 1.49 following Construction 6.5 in [16]: 

D = 1, ⌈log(n)⌉ = 328, ⌈log(h)⌉ = 160, ⌈log(p)⌉ = 490, k⌈log(p)⌉ = 4900 

p = 3196670719340789713156777469647383628127137039140603444123206048687086138966651733275252543330209754427990875101879841425427646115157594515629491249, 

n = 546812704438652190176048473638362779688423061794499756311925945545462152449512232744941959488864241, 

h = 2'' · 70199* · 7831391*, 

d = 366838958032886838857360394166535857747556934852621175164120734346101628194129743602008259319768868802620569094456792293200142806009932471922115210. 



8.0.6. Security level 256 bits (generic: 259 bits, index calculus: 259 bits): 
k = 22, ρ = 1.39 following Construction 6.6 in [16]: 

D = 3, ⌈log(n)⌉ = 519, ⌈log(h)⌉ = 204, ⌈log(p)⌉ = 724, k⌈log(p)⌉ = 15928 

p = 79324390783653822510191966358195377091376558066284959420357463687451883685827055516014492098382728038681543391219021482474137296053371559869112188071618245914043936776777192666177113943586415044911851669785290654695123, 

n = 962131187808560377898569195262572710988984869464755002509459666178069262628367282191252973105101373704953818660670550658659790389637917606342501732923486369, 

h = 3^ · 7 · 13^ · 19^ · 37^ · 6421^ · 7219 · 3498559^ · 22526869^ · 78478074679, 

d = 26441462754793978081083982672739538325998744498135256075358287708632007468065063378057192037361551803250920085233286421641304132894986501666675972821801945609720468771083104817656092016879614901160245443945786256399518. 
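Before using published parameters such as the ones above, a practitioner should recompute the criteria of Section 7 rather than trust the listing. The following added example (not the paper's own code) checks that p and n are (probable) primes, that #E(F_p) = 4hn lies inside the Hasse interval, that the embedding degree is exactly k (n divides p^k − 1 but no p^i − 1 for i < k), and it recomputes the bit sizes and the rho-value. The toy parameters p = 31, n = 7, h = 1 are constructed here for illustration; the 80-bit curve data is transcribed from Section 8.0.1 of this page.

```python
# Sanity checks for pairing-friendly curve parameters (p, n, h, k), following
# the criteria of Section 7: n | #E(F_p) = 4hn with n prime, the group order in
# the Hasse interval, embedding degree exactly k, and rho = log(p)/log(n).
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases: a probable-prime test, good enough for a
    sanity check but not a primality proof for large n."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def embedding_degree(p, n, max_k=64):
    """Smallest k >= 1 with n | p^k - 1, or None if it exceeds max_k. F_{p^k}
    is the smallest extension containing the n-th roots of unity, i.e. the
    field in which the Tate pairing takes its values."""
    x = p % n
    acc = 1
    for k in range(1, max_k + 1):
        acc = acc * x % n
        if acc == 1:
            return k
    return None


def check_curve(p, n, h, k_claimed):
    """Return a dict of checks; every boolean should be True for sane parameters."""
    order = 4 * h * n            # #E(F_p) for an Edwards curve with cofactor 4h
    t = p + 1 - order            # trace of Frobenius
    k = embedding_degree(p, n)
    return {
        "p_prime": is_probable_prime(p),
        "n_prime": is_probable_prime(n),
        "hasse_ok": t * t <= 4 * p,          # |t| <= 2 sqrt(p), without floats
        "embedding_degree": k,
        "k_matches": k == k_claimed,
        "bits_p": p.bit_length(),
        "bits_n": n.bit_length(),
        "bits_h": h.bit_length(),
        "bits_pk": k_claimed * p.bit_length(),
        # bit lengths approximate log(p)/log(n) closely enough for rho
        "rho": round(p.bit_length() / n.bit_length(), 2),
    }


# Constructed toy parameters: 4hn = 28 lies in the Hasse interval of p = 31,
# and 31 has order 6 modulo 7, so the embedding degree is 6.
TOY = (31, 7, 1, 6)

# The 80-bit curve of Section 8.0.1 (k = 6), digits transcribed from the page.
CURVE_80 = (
    2051613663768129606093583432875887398415301962227490187508801,
    44812545413308579913957438201331385434743442366277,
    7 * 733 * 2230663,
    6,
)

if __name__ == "__main__":
    for label, params in (("toy", TOY), ("k = 6, 80-bit", CURVE_80)):
        print(label, check_curve(*params))
```

The Hasse check is done on integers (t^2 <= 4p) so that it stays exact for 700-bit primes, and the embedding-degree search returns the smallest k rather than only testing the claimed one, which catches parameters whose n already divides p^i − 1 for a proper divisor i of k.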